Abstract. We propose an authentication scheme where forgery (a.k.a. impersonation)
seems infeasible without finding the prover's long-term private key. The latter would
follow from solving the conjugacy search problem in the platform (noncommutative)
semigroup, i.e., from recovering $X$ from $X^{-1}AX$ and $A$. The platform semigroup that we
suggest here is the semigroup of $n \times n$ matrices over truncated multivariable polynomials
over a ring.



1. Introduction 

For a general theory of public-key authentication (a.k.a. identification) as well as early
examples of authentication protocols, the reader is referred to [6]. In this paper, we
propose an authentication scheme where recovering the private key from the public key
would follow from solving the conjugacy search problem in the platform (noncommutative)
semigroup, i.e., from recovering $X$ from $X^{-1}AX$ and $A$. There were some previous proposals
based on this problem, see e.g. [3]-[8], so it makes sense to spell out what makes our
proposal different:

(1) Forgery (a.k.a. impersonation) seems infeasible without finding the prover's long-term
private key. In other proposals, there is usually a "shortcut", i.e., a way for
the adversary to pass the final test by the verifier without obtaining the prover's
private key. In particular, in the proposal of [5] modeled on the Diffie-Hellman
authentication scheme, there is an alternative (formally weaker) problem that is
sufficient for the adversary to solve in order to impersonate the prover. Namely,
it is sufficient for the adversary to obtain $Y^{-1}X^{-1}AXY$ from $X^{-1}AX$, $Y^{-1}AY$,
and $A$.

(2) Our platform semigroup might be the first serious candidate for having a generically
hard conjugacy search problem. It can therefore be used with some other previously
suggested cryptographic protocols based on the conjugacy search problem,
e.g. with the protocols in [1] or [3]; see also [7] for more examples.

(3) One of the most important new features is that the verifier selects his final test
randomly from a large series of tests. This is what makes it difficult for the
adversary to impersonate the prover without obtaining her private key: if the
adversary just "studies for the test", as weak students do, he/she at least needs to
know what the test is.
(4) Unlike the proposals in [3]-[8], our authentication scheme does not use the Feige-
Fiat-Shamir idea [2] of repeating a three-pass challenge-response step several times
(to prevent the adversary from predicting the challenge with non-negligible
probability). In our scheme, we have just one challenge and one response.

(5) To prevent attacks by a malicious verifier, there is an intermediate "commitment to
challenge" step for the verifier, because otherwise a malicious verifier might present
the prover with a carefully selected challenge that may result in leaking information
about the prover's private key at the response step. This is similar to the "chosen-
plaintext attack" on an encryption protocol.

Perhaps it is worth spelling out that in this paper, our main focus is on how to protect 
the prover's long-term private key from any information leaks during authentication ses- 
sions. We put less emphasis here on security of the prover's long-term private key against 
attacks on her long-term public key. 

2. The protocol, beta version 

In this section, we give a preliminary description of our authentication protocol. Here 
Alice is the prover and Bob the verifier. We call this a "beta version" of the protocol 
because what we describe here represents a single session; repeating this particular protocol 
several times can compromise the long-term private key of the prover. This is why extra 
care has to be taken to protect the long-term private key; this is done in the complete 
protocol described in the following section, while here, in an attempt to be helpful to the 
reader, we describe the "skeleton" of our scheme where all principal (i.e., non-technical) 
ideas are introduced. 

The platform ring $G$ that we suggest is the ring of $n \times n$ matrices over $N$-truncated
$k$-variable polynomials over a ring $R$. The reader is referred to our Section 4 for the
definition of $N$-truncated polynomials as well as for suggested values of the parameters $n$, $N$,
$k$, and the ring $R$.

Protocol, beta version 

(i) Alice's public key is a pair of matrices $(A, X^{-1}AX)$, where the matrix $X \in G$ is
Alice's long-term private key. The matrix $A \in G$ does not have to be invertible.

(ii) At the challenge step, Bob chooses a random matrix $B$ from the ring $G$ and sends
it to Alice. (See the full version of the protocol in the next section for how to
prevent Bob from choosing $B$ maliciously.)

(iii) Alice responds with the matrix $X^{-1}BX$.

(iv) Bob selects a random word $w(x,y)$ (without negative exponents on $x$ or $y$), evaluates
the matrices $M_1 = w(A,B)$ and $M_2 = w(X^{-1}AX, X^{-1}BX)$, then computes
their traces. If $\operatorname{tr}(M_1) = \operatorname{tr}(M_2)$, he accepts authentication. If not, he rejects.

The point of the final test is that $M_2 = w(X^{-1}AX, X^{-1}BX)$ should be equal to
$X^{-1}M_1X = X^{-1}w(A,B)X$. Therefore, since the matrices $M_1$ and $M_2$ are conjugate,
they should, in particular, have the same trace. Note that the trace in this context works
much better (from the security point of view) than, say, the determinant, because the
determinant is a multiplicative function, so the adversary could use any matrix with the
same determinant as $B$ in place of $X^{-1}BX$, and still pass the determinant test. With the
trace, the situation is quite different, and there is no visible way for the adversary to pass
the trace test for a random word $w(x,y)$ unless he/she actually uses the matrix $X^{-1}BX$.

3. The protocol, full version 

Compared to the beta version described in the previous section, the full protocol given
in this section has an extra feature of protecting the long-term private key $X$ from
overexposure. This is needed because upon accumulating sufficiently many matrices of the
form $X^{-1}B_iX$ with different $B_i$ but the same $X$, the adversary may recover $X$ more
easily. To avoid this, we make Alice (the prover) apply a non-invertible endomorphism (i.e.,
a homomorphism of the ring into itself) of the ambient ring $G$ to all participating matrices. This
endomorphism is selected by Bob at the beginning of each new session. We also note yet
another extra feature of the protocol below, namely, a (mild) "commitment to challenge"
by the verifier (step 2) preceding the actual challenge. Recall that this is done to prevent
a malicious verifier from presenting the prover with a carefully selected challenge that may
result in leaking information about the prover's private key at the response step.

Protocol, full version 

(1) Alice's public key is a pair of matrices $(A, X^{-1}AX)$, where the matrix $X \in G$ is
Alice's long-term private key. The matrix $A \in G$ does not have to be invertible.

(2) At the "commitment to challenge" step, Bob chooses: (i) a random matrix $B$ from
the ring $G$; (ii) a random non-invertible endomorphism $\varphi$ of the ring $G$. Bob then
sends $B$ and $\varphi$ to Alice.

(3) In order to prevent a malicious Bob from presenting her with a carefully selected
challenge, Alice publishes random positive integers $p$ and $q$ and asks Bob to send
her random non-zero constants $c_i$, $i = 1, 2, 3$, and to create his challenge in the form
$B' = c_1 A + c_2 B + c_3 A^p B^q$.

(4) Upon receiving $B'$, Alice responds with the matrix $\varphi(X^{-1}B'X)$.

(5) Bob selects a random word $w(x,y)$ (without negative exponents on $x$ or $y$), evaluates
the matrices $M_1 = w(\varphi(A), \varphi(B'))$ and $M_2 = w(\varphi(X^{-1}AX), \varphi(X^{-1}B'X))$,
then computes their traces. If $\operatorname{tr}(M_1) = \operatorname{tr}(M_2)$, he accepts authentication. If not,
he rejects.
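The following is an added Python model of the protocol above (and of the beta skeleton of Section 2), with Alice's key built from elementary matrices as described in Section 4.1 and Bob's endomorphism built by substitution as described in Section 4.2. It is illustration code written for this page, not the authors' implementation; the toy parameters (modulus 7, $N = 4$, $k = 2$, $n = 2$, two monomials per entry, $k_0 = 1$, four elementary factors in $X$, words of length 6) are assumptions chosen so that a session runs instantly, far below the values suggested in Section 4.3.

```python
import random
from functools import reduce
from itertools import product

MOD, N_TRUNC, K_VARS, N_MAT = 7, 4, 2, 2   # assumed toy values: Z_7, N = 4, k = 2, n = 2

# An N-truncated k-variable polynomial is a dict {exponent tuple: coefficient mod MOD};
# every monomial of total degree >= N_TRUNC is discarded (the quotient ideal of Section 4).
def pconst(c):
    return {(0,) * K_VARS: c % MOD} if c % MOD else {}

def padd(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = (r.get(m, 0) + c) % MOD
    return {m: c for m, c in r.items() if c}

def pmul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            if sum(m) < N_TRUNC:
                r[m] = (r.get(m, 0) + c1 * c2) % MOD
    return {m: c for m, c in r.items() if c}

def ppow(p, e):
    return reduce(pmul, [p] * e, pconst(1))

MONOMIALS = [m for m in product(range(N_TRUNC), repeat=K_VARS) if sum(m) < N_TRUNC]

def prand(rng, terms, variables=range(K_VARS), zero_const=False):
    """Sparse random polynomial (the paper's sqrt(d)-sparse entries) in the given variables."""
    pool = [m for m in MONOMIALS
            if all(m[j] == 0 for j in range(K_VARS) if j not in variables)
            and not (zero_const and sum(m) == 0)]
    return {m: rng.randrange(1, MOD) for m in rng.sample(pool, terms)}

# n x n matrices over that ring (the platform ring G).
def madd(A, B):   return [[padd(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]
def mscale(c, A): return [[pmul(pconst(c), a) for a in row] for row in A]
def mmul(A, B):   return [[reduce(padd, (pmul(A[i][l], B[l][j]) for l in range(N_MAT)), {})
                           for j in range(N_MAT)] for i in range(N_MAT)]
def mpow(A, e):   return reduce(mmul, [A] * e)
def mtrace(A):    return reduce(padd, (A[i][i] for i in range(N_MAT)), {})
def ident():      return [[pconst(int(i == j)) for j in range(N_MAT)] for i in range(N_MAT)]
def mrand(rng):   return [[prand(rng, 2) for _ in range(N_MAT)] for _ in range(N_MAT)]

def elementary(i, j, u):
    E = ident()
    E[i][j] = u
    return E

def keygen(rng, m):
    """Section 4.1: X is a product of m elementary matrices; E_ij(u)^-1 = E_ij(-u)."""
    X, X_inv = ident(), ident()
    for _ in range(m):
        i, j = rng.sample(range(N_MAT), 2)
        u = prand(rng, 2)
        X = mmul(X, elementary(i, j, u))
        X_inv = mmul(elementary(i, j, pmul(pconst(-1), u)), X_inv)
    return X, X_inv

# Section 4.2: phi sends x_j -> f_j with zero constant term and k_0 variables missing,
# so monomials of degree >= N stay in the ideal and phi is a ring endomorphism.
def rand_endo(rng, k0):
    keep = rng.sample(range(K_VARS), K_VARS - k0)
    return [prand(rng, 2, variables=keep, zero_const=True) for _ in range(K_VARS)]

def apply_endo(phi, p):
    out = {}
    for m, c in p.items():
        img = pconst(c)
        for j, e in enumerate(m):
            img = pmul(img, ppow(phi[j], e))
        out = padd(out, img)
    return out

def mendo(phi, A): return [[apply_endo(phi, a) for a in row] for row in A]

def eval_word(word, x, y):
    """w(x, y) as a product of the letters (positive exponents only)."""
    return reduce(mmul, [x if ch == "x" else y for ch in word])

def session(seed, honest=True, word_len=6):
    """One run of the full protocol; returns True iff Bob's trace test accepts."""
    rng = random.Random(seed)
    X, X_inv = keygen(rng, m=4)
    A = mrand(rng)
    P = mmul(mmul(X_inv, A), X)                          # (1) public key (A, X^-1 A X)
    B, phi = mrand(rng), rand_endo(rng, k0=1)            # (2) Bob commits to B and phi
    p, q = rng.randint(1, 3), rng.randint(1, 3)          # (3) Alice publishes p, q ...
    c1, c2, c3 = (rng.randrange(1, MOD) for _ in range(3))   # ... Bob picks c_1, c_2, c_3
    B1 = madd(madd(mscale(c1, A), mscale(c2, B)),
              mscale(c3, mmul(mpow(A, p), mpow(B, q))))     # B' = c1 A + c2 B + c3 A^p B^q
    R = mendo(phi, mmul(mmul(X_inv, B1), X)) if honest else mendo(phi, B1)   # (4) response
    word = ""
    while not ("x" in word and "y" in word):              # (5) a random word in both letters
        word = "".join(rng.choice("xy") for _ in range(word_len))
    M1 = eval_word(word, mendo(phi, A), mendo(phi, B1))
    M2 = eval_word(word, mendo(phi, P), R)
    return mtrace(M1) == mtrace(M2)

if __name__ == "__main__":
    print("honest prover accepted in 5 sessions:", all(session(s) for s in range(5)))
    print("impostor (answers phi(B') without X) accepted:",
          sum(session(s, honest=False) for s in range(5)), "of 5")
```

`session(seed)` runs an honest Alice, `session(seed, honest=False)` an impostor who returns $\varphi(B')$ unconjugated. The honest run always passes because $\varphi$ is a ring endomorphism, so $\varphi(X^{-1}B'X) = \varphi(X)^{-1}\varphi(B')\varphi(X)$ and $M_2$ is conjugate to $M_1$. The toy verifier insists on a word containing both letters: a word in $x$ alone has equal traces on $\varphi(A)$ and $\varphi(X^{-1}AX)$ whatever the response is, and a word in $y$ alone is passed by the response $\varphi(B')$ itself, which is why the paper's test draws $w$ at random from a large family.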

4. Parameters and key generation 

Our suggested platform ring $G$ is the ring of all $n \times n$ matrices over truncated $k$-variable
polynomials over the ring $\mathbb{Z}_n$. Truncated (more precisely, $N$-truncated) $k$-variable polynomials
over $\mathbb{Z}_n$ are elements of the factor algebra of the algebra $\mathbb{Z}_n[x_1, \ldots, x_k]$ of $k$-variable
polynomials over $\mathbb{Z}_n$ by the ideal generated by all monomials of degree $N$. In other words,
$N$-truncated $k$-variable polynomials are expressions of the form
$$\sum_{0 \le s \le N-1} a_{j_1 \ldots j_s}\, x_{j_1} \cdots x_{j_s},$$
where the $a_{j_1 \ldots j_s}$ are elements of $\mathbb{Z}_n$ and the $x_{j_1}, \ldots, x_{j_s}$ are variables.
To make computation efficient for legitimate parties, we suggest to use sparse polynomials
as entries in participating matrices. This means that there is an additional parameter
$d$ specifying the maximum number of non-zero coefficients in polynomials randomly generated
by Alice or Bob. Note that the number of different monomials of degree at most $N$ in $k$
variables is $M(N,k) = \binom{N+k}{k}$. This number grows exponentially in $k$ (assuming that $N$
is greater than $k$). The number of different collections of $d$ monomials (with non-zero
coefficients) of degree $< N$ is more than $\binom{M(N,k)}{d}$, which grows exponentially in both $d$ and
$k$. Concrete suggested values for parameters are given below; right now we just say that,
if we denote the security parameter by $t$, we suggest that the number $M(N,k) = \binom{N+k}{k}$
is at least $t$. At the same time, neither $N$ nor $k$ should exceed $t$. As for the parameter $d$,
we require that $d^{m/n} \cdot k \cdot \log N \cdot n^2 < t$, where $m$ is yet another parameter, defined in the
following subsection 4.1.

Since the questions of generating random invertible matrices or random polynomial
endomorphisms have not been addressed in the literature on cryptography before (to the
best of our knowledge), we address these questions below.

4.1. Generating matrices. Our notation here follows that of Section 3.

Since the matrices $A$ and $B$ do not have to be invertible, they are easy to generate. We
require that each entry is a $\sqrt{d}$-sparse $N$-truncated $k$-variable polynomial over $\mathbb{Z}_n$, which
is generated the obvious way. Namely, one first chooses $\sqrt{d}$ random monomials of degree
at most $N-1$, then randomly chooses non-zero coefficients from $\mathbb{Z}_n$ for these monomials.

An invertible matrix $X$ can be generated as a random product of $m$ elementary matrices.
A square matrix is called elementary if it differs from the identity matrix by exactly
one non-zero element outside the diagonal. This single non-zero element is generated as
described in the previous paragraph. Denote by $E_{ij}(u)$ the elementary matrix that has
$u$ in the $(i,j)$th place, $i \ne j$. Its inverse is $E_{ij}(-u)$, so Alice obtains $X^{-1}$ for free as
the product of the inverses of the factors of $X$, taken in reverse order.

We note that multiplying $m$ elementary matrices may result in the number of non-zero
coefficients in some of the entries growing exponentially in $m$. More precisely, when
we multiply $E_{ij}(u)$ by $E_{jk}(v)$, the result has the product $uv$ in the $(i,k)$th place, and
the polynomial $uv$ is no longer $d$-sparse but $d^2$-sparse. However, this phenomenon is
limited to products of elementary matrices of the form $E_{ij}(u) \cdot E_{jk}(v)$, and the expected
maximum length of such "matching" chains in a product of $m$ elementary $n \times n$ matrices
is $m/n$. We therefore require that $d^{m/n} \cdot k \cdot \log N \cdot n^2 < t$, where $t$ is the security parameter.

4.2. Generating an endomorphism. At step 2 of the full protocol in Section 3, Bob
has to generate a random non-invertible endomorphism $\varphi$ of the ring $G$ of matrices over
$N$-truncated $k$-variable polynomials over $\mathbb{Z}_n$.

Such an endomorphism is naturally induced (entrywise) by an endomorphism of the
ring of $N$-truncated $k$-variable polynomials over $\mathbb{Z}_n$. The latter endomorphism can be
constructed as follows: $\varphi: x_j \to f_j$, where the $f_j = f_j(x_1, \ldots, x_k)$ are random sparse
$N$-truncated $k$-variable polynomials over $\mathbb{Z}_n$ with zero constant term, which actually depend
on $(k - k_0)$ variables only, i.e., $k_0$ variables are missing, where the parameter $k_0$ is specified
in the following subsection. The zero constant term condition is needed for $\varphi$ to actually
be an endomorphism, i.e., to keep invariant the ideal generated by all monomials of degree
$N$. For efficiency reasons, it makes sense to have the polynomials $f_j$ $\sqrt{d}$-sparse.

4.3. Suggested parameters. Suggested values for parameters of our scheme are:

(1) The suggested value of $n$ (the size of participating matrices) is $n = 3$.

(2) Presently, $N = 1000$, $d = 25$, and $k = 10$ should be quite enough to meet the
security conditions specified above. In particular, with these values of parameters,
the number $M(N,k)$ of different monomials is greater than $10^{20}$.

(3) The matrix $X$ (Alice's long-term private key) is generated by Alice as a product of
$m$ random elementary matrices, where the value for $m$ is randomly selected from
the interval $n^3 < m < 2n^3$.

(4) The parameter $k_0$ used in constructing a non-invertible endomorphism (subsection 4.2
above) is randomly selected from an interval whose endpoints are fixed fractions of $k$.

(5) Values of the random positive integers $p$ and $q$ in step 3 of the protocol in Section 3 can
be bounded by 5. The non-zero constants $c_i$ in the same step 3 are selected uniformly at
random from the set of all non-zero elements of $\mathbb{Z}_n$.

(6) The suggested length of the word $w(x,y)$ in step 5 of the protocol in Section 3 is
10.

4.4. Key size and key space. To conclude this section, we point out that the size of a
random matrix in our scenario (e.g. Bob's commitment $B$) is $\sqrt{d} \cdot k \cdot \log N \cdot n^2$. The size
of an invertible matrix $X$ is, roughly, $(d \cdot k \cdot \log N + \log n) \cdot m$.

The size of the key space for the long-term private key (i.e., the matrix $X$) is, roughly,
$\exp((d \cdot k \cdot \log N + \log n) \cdot m)$.

5. Cryptanalysis 

We start by discussing how the adversary, Eve, can attack Alice's long-term private key
(the matrix $X$) directly, based just on the public key $P = X^{-1}AX$. The relevant problem
is known as the conjugacy search problem. Note that the equation $P = X^{-1}AX$ implies
$XP = AX$, which translates into a system of $n^2$ linear equations for the entries of $X$,
where $n$ is the size of participating matrices. Thus, a natural way for Eve to attempt to
find $X$ would be to solve this system. However, there are some major obstacles along this
way:

(a) The matrix equation $XP = AX$ is not equivalent to $P = X^{-1}AX$. The former
equation has many solutions; for example, if $X$ is a solution, then any matrix of
the form $X' = f(A) \cdot X \cdot g(P)$ is a solution, too, where $f(A)$ and $g(P)$ are arbitrary
polynomials in the matrices $A$ and $P$, respectively (indeed, $A\, f(A) X g(P) = f(A)\, AX\, g(P) =
f(A)\, XP\, g(P) = f(A) X g(P)\, P$). However, only invertible matrices $X'$ will be solutions
of the equation $P = X'^{-1}AX'$. If participating matrices
come from a ring where "generic" matrices are non-invertible (which is the case for
our suggested platform ring), then Eve would have to add to the matrix equation
$XP = AX$ another equation $XY = I$, where $X, Y$ are unknown matrices, and $I$ is
the identity matrix. This translates into a system of $n^2$ quadratic equations, not
linear ones.






(b) As explained in the previous paragraph, Eve is facing a system of $n^2$ linear equations
and $n^2$ quadratic equations, with $2n^2$ unknowns, over a ring $R$, which in
our scheme is the ring of $N$-truncated $k$-variable polynomials over $\mathbb{Z}_n$. She can
further translate this into a system of equations over $\mathbb{Z}_n$ if she collects
coefficients at similar monomials, but this system is going to be huge: as explained
in our Section 4, it is going to have more than $10^{20}$ equations (by the number of
monomials). Note that, although entries of all participating matrices are sparse
polynomials, Eve does not know which monomials in the private matrix $X$ occur
with non-zero coefficients, which means she has to either engage all monomials
in her equations or try all possible supports (i.e., collections of monomials with
non-zero coefficients) of the entries of elementary matrices in a decomposition of
$X$ (see subsection 4.1).

(c) Eve may hope to get more information about the matrix $X$ if she eavesdrops on
several authentication sessions between legitimate parties. More specifically, she
can accumulate several pairs of matrices of the form $(\varphi_i(B_i), \varphi_i(X^{-1}B_iX))$. Note
however that even if a pair like that yields some information, this is going to be
information about the matrix $\varphi_i(X)$ rather than about $X$ itself, since
$\varphi_i(X^{-1}B_iX) = \varphi_i(X)^{-1}\varphi_i(B_i)\varphi_i(X)$. To recover $X$
from $\varphi_i(X)$ is impossible because $\varphi_i$ has a large kernel by design.